What is Just in Time VM Access?

Just in time VM access lets you lock down your VMs at the network level by blocking inbound traffic to specific ports. It lets you control access to your VMs and reduce their attack surface, because the ports are opened only when access is specifically needed.

How does it work?

When a user requests access, Security Center uses Azure RBAC to decide whether to grant it. If the request is approved, Security Center automatically configures the NSGs to allow inbound traffic to the requested ports for the requested amount of time, after which it restores the NSGs to their previous state.

Let’s see how to configure Just in Time VM Access. First, navigate to the “Security Center” blade and click “Just in Time VM Access”:

By default, no Virtual Machines are configured for JIT VM Access. You need to enable the feature, so select the “Recommended” tab:

You should see your Virtual Machines in the following list. Select the VM for which the Just in Time VM Access must be enabled:

To enable the feature, you must configure the ports to which JIT VM Access will apply. By default, some recommended ports are proposed:

In my case, I removed these ports and clicked “Add” to add a new one:

You can configure a maximum request time, which is how long remote access will be available for this port and protocol.

Once the port is added to the configuration, your Virtual Machine appears in the “Configured” tab:

What does this mean? You can now try to open a remote session to this Virtual Machine over RDP, but it will not work, because port 3389 is not allowed in the NSG.

In order to allow access through 3389, we need to request access. Go back to the Security Center blade and click “Request Access”:

Now you can open the port, and you can also restrict the request to an IP range, for 1 hour.

Let’s try once again to open the RDP session to this Virtual Machine. Now it works, because 3389 is allowed in the NSG.
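
The same two steps (define the JIT policy for port 3389, then request access for one source IP and one hour), as an added Azure PowerShell example that is not part of the original post. It assumes the Az.Security module is installed and Connect-AzAccount has been run; the subscription ID, resource group, VM name, location and source IP are placeholders to replace.

```powershell
# Added example (not from the original post): JIT VM Access via Azure PowerShell.
# Placeholders: replace the subscription, resource group, VM, location and IP below.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "rg-demo"
$location       = "westeurope"
$vmName         = "vm-demo"
$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$vmName"

# Step 1: define the JIT policy for the VM. Only RDP (TCP 3389) is covered and the
# maximum request duration is one hour (ISO 8601 "PT1H"). The policy allows any
# source prefix; each request then narrows the source to a specific IP range.
$policyVm = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            protocol                   = "TCP"
            allowedSourceAddressPrefix = @("*")
            maxRequestAccessDuration   = "PT1H"
        }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($policyVm)

# Step 2: request access. Security Center opens 3389 in the NSG only for the given
# source prefix and only until endTimeUtc (here: now + 1 hour), then restores the NSG.
$requestVm = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
            allowedSourceAddressPrefix = @("203.0.113.10/32")  # placeholder: admin workstation IP
        }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location `
    -Name "default" -VirtualMachine @($requestVm)

# Check: the policy should now list the VM with its configured port rule.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location `
    -Name "default").VirtualMachines
```

Requesting access requires the Azure RBAC permissions Security Center checks for JIT requests; if the request is denied, verify the caller's role assignment on the VM rather than widening the policy's source prefix.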

Conclusion

Azure Just in Time VM Access is a great and helpful feature that allows or denies access to your machines in Azure. Thanks to JIT VM Access, access to your Azure servers will be more secure.

Nicolas Prigent
Nicolas Prigent works as a System Engineer based in Switzerland, with a primary focus on Microsoft technologies. Nicolas is a Microsoft MVP in Cloud and Datacenter Management with 8 years of experience administering Windows Server, Hyper-V and System Center products. He also received the "PowerShell Heroes 2016" award.